Posted to users@httpd.apache.org by Eric Kingston <er...@esreco.net> on 2010/11/12 16:55:07 UTC

[users@httpd] Apache failing to start after upgrade.

Hi,

I'm hoping someone here can help.  Our web server was recently scanned by a
security company to make sure we are PCI compliant.  They found two
vulnerabilities, both related to the version of apache and openssl installed
on our server.  In order to bring the server up to PCI compliance we had to
upgrade both apache and openssl.  Apache was originally version 2.2.16 and
openssl was 0.9.8n.  I upgraded apache to 2.2.17 and openssl to 1.0.0a only
to run into a problem starting Apache.  When starting apache I get the
following error....

[error] Unable to initialize TLS servername extension callback (incompatible
OpenSSL version?)

This system isn't a critical production system, but it is one that we use
periodically for various web applications.  I've exhausted every avenue of
research I can think of.  I've googled every possible permutation for this
error message and the associated applications I can think of and have not
been able to resolve this error.  I've scanned through many mail archives
and have tried all of their suggestions to no avail.  Usually when I'm
unable to find a specific solution to a problem like this, it means that
it's something simple that I've overlooked and many others haven't.  I'm at
my wits' end and hope that someone here can help me.

Every document on Apache and Openssl I can find says that Apache supports
SNI from 2.2.13 and later and openSSL supports it from 0.9.8 on up.  My
system stats are as follows....

uname output....

FreeBSD 8.1-STABLE FreeBSD 8.1-STABLE #15: Sat Sep 25 15:29:11 MDT 2010

Apache version...

apache-2.2.17_1

OpenSSL version....

OpenSSL 1.0.0a 1 Jun 2010


I've reinstalled Apache and have checked the make output to be sure that it
is compiling against the new version of OpenSSL 1.0.0a.  I've checked the
output of 'ldd /usr/local/libexec/apache22/mod_ssl.so' and it has been
linked to the new OpenSSL 1.0.0a libraries.

I appreciate whatever help and suggestions anyone can give.  I look forward
to your response.  Thank you.


Eric


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache failing to start after upgrade.

Posted by Tom Evans <te...@googlemail.com>.
On Fri, Nov 12, 2010 at 4:45 PM, Justin Pasher <ju...@distribion.com> wrote:
> ----- Original Message -----
>>
>> From: Eric Kingston <er...@esreco.net>
>> Date: Fri, 12 Nov 2010 08:55:07 -0700
>> Subject: [users@httpd] Apache failing to start after upgrade.
>> To: users@httpd.apache.org
>>
>>
>> Hi,
>>
>> I'm hoping someone here can help.  Our web server was recently scanned by
>> a
>> security company to make sure we are PCI compliant.  They found two
>> vulnerabilities, both related to the version of apache and openssl
>> installed
>> on our server.  In order to bring the server up to PCI compliance we had
>> to
>
> This is not an answer to your problem (I don't have any experience yet with
> OpenSSL 1.0), but something to note. Many "security" companies that scan web
> servers just blindly run some default scan that tries to check software
> versions from a list of versions with known vulnerabilities. If you are
> running the software from a package (such as a .deb or .rpm), most vendors
> will release back patches to older versions that fix security flaws in the
> software. For example, the Debian Stable branch (Lenny) will not supply the
> latest version of apache or openssl, because it came with a specific version
> when it was frozen as stable (in this case Apache 2.2.9 and OpenSSL 0.9.8g).
> Does this mean you are vulnerable to every security bug that was fixed in
> subsequent releases? Absolutely not. Debian will release updates via their
> security update mirrors that back patch many of those bug fixes (if not all
> of them). This holds true for any Linux system that uses this model, such as
> RedHat EL. Many "security" companies don't understand this and only go by
> "My security scanning software says you're vulnerable, so you need to
> upgrade".
>
> The better thing to find out from them is more specifically which CVE their
> scan is complaining about so you can determine whether that had already been
> patched in your version. Now, since you are running FreeBSD, I'm not sure if
> they always just offer the latest source code through ports and you are
> responsible for making sure you are running the latest version or they have
> "locked down" versions with security updates available. From that
> standpoint, I can't offer any first hand experience (it seems like you've
> already done the basic checks like verifying apache is linked to the correct
> OpenSSL module).
>
> Good luck.
>
> --
> Justin Pasher
>

Just FYI on OpenSSL/FreeBSD:

OpenSSL is part of the base FreeBSD installation, there are no
packages, and all appropriate security fixes are backported to
maintained security branches. In FreeBSD 8.1/8-STABLE, the base
OpenSSL is 0.9.8n.

If you want to run a later version than that offered by your FreeBSD
version, then you can install from ports/pkg newer versions.
IIRC there is a flag you can set in /etc/make.conf to override the
base openssl, so that everything (from ports) links with the ports
version - WITH_OPENSSL_PORTS=YES

Sorry I can't help with the OP's problem - perhaps ask on
freebsd-apache@freebsd.org (+ perhaps questions@, that gets a lot of
eyeballs).

Cheers

Tom
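The linkage check Eric describes (ldd on mod_ssl.so) and Tom's point about base versus ports OpenSSL on FreeBSD come together in the following script. It is an added example, not part of any message in this thread: it parses ldd output and reports whether libssl and libcrypto resolve into the same library directory (on FreeBSD, base OpenSSL is under /usr/lib and the ports version under /usr/local/lib), since a module that pulls the two from different prefixes is mixing two OpenSSL builds. The ldd output embedded below is constructed for the demo, and its sonames and load addresses are assumptions; run it against the real module with `ldd /usr/local/libexec/apache22/mod_ssl.so` as shown in the comment at the end.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a shared object's
# libssl and libcrypto come from the same OpenSSL installation.

# Print the resolved path of the first library whose name starts with
# "$1.so" in ldd output read from stdin (e.g. libssl -> /usr/local/lib/libssl.so.8).
resolved_path() {
    awk -v lib="$1" '$2 == "=>" && index($1, lib ".so") == 1 { print $3; exit }'
}

# Classify ldd output passed as $1. Prints exactly one word:
#   consistent  libssl and libcrypto live in the same directory
#   mixed       they resolve into different directories (two OpenSSL builds)
#   missing     at least one of them is not linked at all
ssl_linkage_status() {
    ssl=$(printf '%s\n' "$1" | resolved_path libssl)
    crypto=$(printf '%s\n' "$1" | resolved_path libcrypto)
    if [ -z "$ssl" ] || [ -z "$crypto" ]; then
        echo missing
    elif [ "$(dirname "$ssl")" = "$(dirname "$crypto")" ]; then
        echo consistent
    else
        echo mixed
    fi
}

# Human-readable report for an ldd output string.
report_ssl_linkage() {
    status=$(ssl_linkage_status "$1")
    ssl=$(printf '%s\n' "$1" | resolved_path libssl)
    crypto=$(printf '%s\n' "$1" | resolved_path libcrypto)
    echo "$status: libssl=${ssl:-none} libcrypto=${crypto:-none}"
}

# Constructed ldd output (sonames and addresses are made up for the demo).
# Ports OpenSSL for both libraries: what a clean rebuild should look like.
LDD_PORTS='/usr/local/libexec/apache22/mod_ssl.so:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800c00000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800e00000)
    libc.so.7 => /lib/libc.so.7 (0x800647000)'

# libssl from ports but libcrypto from the FreeBSD base system.
LDD_MIXED='/usr/local/libexec/apache22/mod_ssl.so:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800c00000)
    libcrypto.so.6 => /usr/lib/libcrypto.so.6 (0x800e00000)
    libc.so.7 => /lib/libc.so.7 (0x800647000)'

# A module that does not use OpenSSL at all.
LDD_NOSSL='/usr/local/libexec/apache22/mod_rewrite.so:
    libc.so.7 => /lib/libc.so.7 (0x800647000)'

report_ssl_linkage "$LDD_PORTS"
report_ssl_linkage "$LDD_MIXED"
report_ssl_linkage "$LDD_NOSSL"

# On a real host:
#   report_ssl_linkage "$(ldd /usr/local/libexec/apache22/mod_ssl.so)"
# Compare the reported directory with the prefix of the `openssl` binary that
# prints the version you expect (`openssl version` for base, or the one
# installed from ports) before trusting that the rebuild picked up 1.0.0a.
```

The script only inspects where the libraries resolve; it does not prove that the headers used at compile time match those libraries, so if the output is "consistent" but the SNI callback error persists, the next thing to compare is the OpenSSL version mod_ssl was built against with the one it loads at run time.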



Re: [users@httpd] Apache failing to start after upgrade.

Posted by Justin Pasher <ju...@distribion.com>.
----- Original Message -----
> From: Eric Kingston <er...@esreco.net>
> Date: Fri, 12 Nov 2010 08:55:07 -0700
> Subject: [users@httpd] Apache failing to start after upgrade.
> To: users@httpd.apache.org
> 
>
> Hi,
>
> I'm hoping someone here can help.  Our web server was recently scanned by a
> security company to make sure we are PCI compliant.  They found two
> vulnerabilities, both related to the version of apache and openssl installed
> on our server.  In order to bring the server up to PCI compliance we had to

This is not an answer to your problem (I don't have any experience yet 
with OpenSSL 1.0), but something to note. Many "security" companies that 
scan web servers just blindly run some default scan that tries to check 
software versions from a list of versions with known vulnerabilities. If 
you are running the software from a package (such as a .deb or .rpm), 
most vendors will release back patches to older versions that fix 
security flaws in the software. For example, the Debian Stable branch 
(Lenny) will not supply the latest version of apache or openssl, because 
it came with a specific version when it was frozen as stable (in this 
case Apache 2.2.9 and OpenSSL 0.9.8g). Does this mean you are vulnerable 
to every security bug that was fixed in subsequent releases? Absolutely 
not. Debian will release updates via their security update mirrors that 
back patch many of those bug fixes (if not all of them). This holds true 
for any Linux system that uses this model, such as RedHat EL. Many 
"security" companies don't understand this and only go by "My security 
scanning software says you're vulnerable, so you need to upgrade".

The better thing to find out from them is more specifically which CVE 
their scan is complaining about so you can determine whether that had 
already been patched in your version. Now, since you are running 
FreeBSD, I'm not sure if they always just offer the latest source code 
through ports and you are responsible for making sure you are running 
the latest version or they have "locked down" versions with security 
updates available. From that standpoint, I can't offer any first hand 
experience (it seems like you've already done the basic checks like 
verifying apache is linked to the correct OpenSSL module).

Good luck.

-- 
Justin Pasher
